On Fri, Mar 8, 2013 at 2:23 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Thu, Mar 7, 2013 at 7:29 PM, Adam Barth <w3c@adambarth.com> wrote:
>> I don't have strong feelings one way or another. Generally, I think
>> it's a good idea if the presence of the Origin header isn't synonymous
>> with the request being a CORS request because that could limit our
>> ability to use the Origin header in the future.
>
> Okay. So currently the mix of the Origin specification and the HTML
> specification suggests you either do "Origin: /origin/" or "Origin:
> null". However WebKit seems to do "Origin: /origin/" or no header at
> all (for the "privacy-sensitive" cases). Ian also mentioned that we
> can not just put the Origin header into every outgoing request as that
> breaks the interwebs (per research you did for Chrome I believe?).
>
> What do you think we should end up requiring?

I would recommend including an Origin header in every non-GET request
(and, of course, in some GET requests because of CORS).

Adam
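
What a server has to handle under the behaviours discussed in this thread, as an added example that is not part of the original messages: a non-GET request may arrive with "Origin: /origin/", with "Origin: null", or with no Origin header, and the decision is made without treating the header's presence as a sign of a CORS request. The names checkOrigin and TRUSTED_ORIGINS and the sample origins are assumptions made for illustration.

```javascript
// Added example. TRUSTED_ORIGINS and checkOrigin are hypothetical names and
// the origins are constructed sample values.
const TRUSTED_ORIGINS = new Set(['https://app.example']);

// headers: object with lowercased header names, as Node's http module provides.
function checkOrigin(method, headers, trusted = TRUSTED_ORIGINS) {
  // GET is skipped: per the thread, only some GET requests carry Origin.
  if (method.toUpperCase() === 'GET') {
    return { decision: 'skip', reason: 'GET: Origin not expected on every request' };
  }
  const raw = headers['origin'];
  // Case 1: no header at all (older client, or the WebKit behaviour described
  // for "privacy-sensitive" cases). Origin cannot answer; use another check.
  if (raw === undefined) {
    return { decision: 'fallback', reason: 'no Origin header' };
  }
  const value = raw.trim();
  // Case 2: "Origin: null" identifies no origin, so it never matches the set.
  if (value === 'null') {
    return { decision: 'reject', reason: 'Origin is null' };
  }
  // Case 3: one or more serialized origins (RFC 6454 allows a space-separated
  // list). Every entry must be trusted; an empty value is rejected.
  const origins = value.split(/ +/).filter(Boolean);
  const untrusted = origins.filter((o) => !trusted.has(o));
  if (origins.length === 0 || untrusted.length > 0) {
    return { decision: 'reject', reason: 'untrusted Origin: ' + (untrusted.join(' ') || '(empty)') };
  }
  return { decision: 'allow', reason: 'Origin trusted' };
}
```

The 'fallback' result is deliberate: while some clients omit the header, a missing Origin carries no information either way, so the caller has to apply whatever other check it has.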